XSS and X-XSS protection - what's the difference?

Polaris offers two separate forms of protection against XSS (Cross-Site Scripting). One is server-side detection using OWASP rules; the other is browser-side protection through the X-XSS-Protection security header.

For the OWASP rules, Polaris inspects each request sent to the origin (whether it comes from the attacker directly or from a victim whose browser has been made to send it) for XSS payloads. When a rule matches, Polaris blocks the request and raises an incident alert under Security Events.

For X-XSS-Protection under Security Headers, the header instructs the browser's built-in filter to look for reflected XSS (script that appears in the request and is echoed back in the response) just before the page is rendered. This filter is legacy: current versions of Chrome, Edge and Firefox ignore X-XSS-Protection, so it should be treated as a defence-in-depth measure for older browsers rather than as the primary XSS control.

In Polaris, there are 3 options for X-XSS Protection:
1) Off
2) Sanitize Script: Sets X-XSS-Protection: 1. If the browser detects reflected XSS, it removes (sanitizes) the unsafe parts and renders the rest of the page.
3) Block Script: Sets X-XSS-Protection: 1; mode=block. If the browser detects reflected XSS, it stops rendering the page entirely instead of trying to clean it up.
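The following Node.js script is an added example, not Polaris code, and it serves both of the mechanisms described above: a request-side check in the spirit of an OWASP-style rule set (inspect the inbound request, block it, record a security event) and the X-XSS-Protection response header that the three Security Headers options set. The signature patterns, the event record shape, the `origin.example` base URL and the assumption that "Off" simply omits the header are all illustrative choices made here; they are not Polaris' actual rules, event format or configuration semantics.

```javascript
// Added example (not Polaris code). Contrasts the two XSS controls described
// above: a request-side rule check and the X-XSS-Protection response header.
// Signatures, event shape and the "off omits the header" behaviour are
// assumptions made for this example.

// Header values for the three options named in the article. The page does not
// say what "Off" sends; here it is assumed to mean "do not add the header".
const XSS_HEADER_OPTIONS = {
  off: null,
  sanitize: '1',
  block: '1; mode=block',
};

// Build the response headers for one of the three options.
function buildResponseHeaders(option) {
  if (!(option in XSS_HEADER_OPTIONS)) {
    throw new Error(`unknown X-XSS-Protection option: ${option}`);
  }
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  const value = XSS_HEADER_OPTIONS[option];
  if (value !== null) headers['X-XSS-Protection'] = value;
  return headers;
}

// A deliberately small set of reflected-XSS signatures. Real rule sets (for
// example the OWASP ModSecurity Core Rule Set) are far broader; these are
// only enough to show the request-side mechanism.
const XSS_SIGNATURES = [
  { id: 'script-tag', re: /<\s*script\b/i },
  { id: 'event-handler', re: /\bon(?:load|error|click|mouseover|focus|blur)\s*=/i },
  { id: 'javascript-uri', re: /javascript\s*:/i },
  { id: 'iframe-tag', re: /<\s*iframe\b/i },
];

// Decode up to twice more after URLSearchParams' own decoding, so a
// double-encoded payload such as %253Cscript%253E is still seen as <script>.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 2; i++) {
    try {
      const next = decodeURIComponent(current);
      if (next === current) break;
      current = next;
    } catch {
      break; // malformed percent-encoding: inspect what we have
    }
  }
  return current;
}

// Inspect the query parameters of a request. Returns { action, event } where
// action is 'block' or 'allow' and event mirrors a security-event record.
function inspectRequest(method, rawUrl) {
  const url = new URL(rawUrl, 'https://origin.example'); // placeholder base
  for (const [name, value] of url.searchParams) {
    const decoded = fullyDecode(value);
    for (const sig of XSS_SIGNATURES) {
      if (sig.re.test(decoded)) {
        return {
          action: 'block',
          event: { category: 'xss', rule: sig.id, method, param: name, path: url.pathname },
        };
      }
    }
  }
  return { action: 'allow', event: null };
}

// Demo with constructed sample traffic (not captured from a real site).
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    ['GET', '/search?q=polaris+headers'],
    ['GET', '/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E'],
    ['GET', '/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E'],
    ['GET', '/profile?name=%22%20onerror%3Dalert(1)%20x%3D%22'],
  ];
  for (const [method, path] of samples) {
    console.log(method, path, '->', JSON.stringify(inspectRequest(method, path)));
  }
  for (const option of ['off', 'sanitize', 'block']) {
    console.log(option, '->', JSON.stringify(buildResponseHeaders(option)));
  }
}
```

The point of running both halves side by side is that `inspectRequest` acts before the origin ever sees the payload and produces an event you can alert on, whereas `buildResponseHeaders` only adds a hint that the visitor's browser may or may not honour; a browser that ignores X-XSS-Protection gets no protection from the header at all, which is why the request-side rules and a Content Security Policy matter more.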

Apart from XSS detection (OWASP Rules) and X-XSS-Protection (Security Headers), Polaris can also help guard against XSS attacks using a Content Security Policy (CSP), which is the mechanism modern browsers support in place of the X-XSS-Protection filter.

To find out more about X-XSS-Protection, refer to the Mozilla Developer Network (MDN) documentation.

Related Articles

    • DDoS Protection & Rate Limiting
    • Content Security Policy (CSP)
    • Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) - what are they?
    • Security Headers
    • Attacks - what does Polaris detect and do?